Opened 3 years ago
Last modified 2 years ago
#14343 new defect (bug)
user_can_access_admin_page not recognising taxonomies
| Reported by: |
|
Owned by: | |
|---|---|---|---|
| Priority: | normal | Milestone: | Future Release |
| Component: | Taxonomy | Version: | 3.0 |
| Severity: | normal | Keywords: | dev-feedback |
| Cc: |
Description
Hello,
I have a custom taxonomy with custom capabilities.
The "edit_customtaxonomy" cap is removed from all roles.
The problem is that the user is still able to click on each term (in the taxonomy page).
When each term is clicked, the user goes to the "Update term" page and he is able to click the "Update" submit button.
After all, he can't update and get a "cheatin huh?" message.
The problem is they should't have access to the update page from the first place.
Attachments (1)
Change History (10)
- Summary changed from Custom taxonomy capabilities (update term) to user_can_access_admin_page not recognising taxonomies
- Milestone changed from 3.0.1 to 3.1
user_can_access_admin_page() should never be relied upon. It is a fallback. We can look into fixing it for pages that have query args in 3.1.
- Keywords dev-feedback added
@ryan: what do you want to do about this one? Stick with quick fix for 3.1 and revisit in 3.2, or will someone patch for 3.1 in time?
This happens for any taxonomy, not just custom defined ones (try visiting edit-tags.php?taxonomy=category as a subscriber). The root of the problem is that user_can_access_admin_page() is not recognising the edit-tags.php?taxonomy=TAX_NAME entry in $_wp_submenu_nopriv since the pagenow global is set to edit-tags.php (note lack of query string).
Quick fix patch (not addressing problem described above) emulates behaviour in edit.php; implements a secondary check after the check in menu.php should deny access.
NB: the the links are all being removed from the menu, talking about visiting the URL directly as a user without the correct privileges.